Yes they can.
A shell is not needed to execute commands using the privileges of the user running the service.
Anyway, a weakness in the service running under an unprivileged user is used to gain access to the local system, and then that access is used to run local root exploit(s) (which are more common than remote root exploits).
About detection: there is no universal and foolproof way. It helps to have syslog logging to a remote machine and to run stealth IDS systems between the services and the internet.

People exploit Apache all the time, so I know it's possible. For example, in Absolute FreeBSD, 2nd edition, the author said the attacker can get around not having a home directory by using /tmp, which is world-writable.

I suspect a way to detect an attack on Apache running as user 'www' where perhaps the attacker hasn't yet gotten full access would be to check /tmp for files owned by www.

It just seems like there have to be more sophisticated ways to detect something like that at the host level, such as the kernel realizing and logging commands that the user www is trying to carry out.

Ah, maybe you need to take a close look at MAC.

In the case of Apache, you could also consider running it inside a FreeBSD jail. At least in this case you can keep a "cold spare" backup of the jail on standby and learn enough from an exploit to lock it down and then fire it up again. Additionally, even if Apache within a jail is compromised, it'll be a lot more difficult to cause problems on the host system.
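The /tmp check suggested earlier in the thread, as an added example that is not part of any of the original posts: a host-side sweep that lists everything under a world-writable directory owned by the service account and tags entries for triage. The function name, the flag names and the 24-hour "recent" window are assumptions made for this sketch; the account name 'www' comes from the thread.

```python
import os
import stat
import time

def service_owned_files(root, uid, recent_secs=86400, now=None):
    """Walk root without following symlinks and return (path, flags)
    for every entry owned by uid. Flags are triage hints only."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the link, not its target
            except OSError:
                continue  # entry vanished between listing and lstat
            if st.st_uid != uid:
                continue
            flags = []
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                flags.append("executable")
            if stat.S_ISLNK(st.st_mode):
                flags.append("symlink")
            if name.startswith("."):
                flags.append("hidden")
            if now - st.st_mtime < recent_secs:
                flags.append("recent")
            findings.append((path, flags))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    # Assumption: Apache runs as 'www', as in the thread.
    uid = pwd.getpwnam("www").pw_uid
    for path, flags in service_owned_files("/tmp", uid):
        print(path, ",".join(flags) or "-")
```

Files owned by the service user in /tmp are not always hostile (session and upload temp files can land there too), so compare the output against a known-good baseline and send the results to the remote log host rather than keeping them only on the machine being checked.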